Wednesday, March 20, 2019

Threat Hunting in Firewall Logs

Tactics Summary

Initial Access, C&C, Data Exfil can be seen in the Firewall logs.

Egress Traffic

The objective is to identify anomalies not automatically classified bad traffic. It is not possible to positively and without question find evil with no false positives or false negatives. It should, however, increase your efficiency in finding things that violate your policies or possibly indicate a compromise.

Ingress Traffic
  • Geo-source Location : Traffic from unexpected locations
  • Network flow baselines: You can’t know what’s anomalous until you know what’s normal
  • What does traffic in and out of your desktop networks look like? These will necessarily differ significantly from your server networks, which need the same sort of attention.
  • Compromised systems may start sending out traffic that doesn’t look like the rest of your traffic.
  • Examine all HTTP traffic like (SSH, SMTP, IRC, RDP,..) from internal subnet with suspicion
  • Protocol-port mismatches: Having HTTP traffic on high ports, or maybe even something like SSH on TCP 80? Attackers often like to overload TCP 80 to slip through loosely secured perimeter networks.
  • Direct IP connections, typically for malware that doesn’t make use of DNS
  • Web requests with an unusual HTTP protocol version
  • Excessive size or a repeating pattern in the size of HTTP requests
  • Persistent connections to HTTP servers on the internet, even outside regular office hours
  • Requests to a social network site outside regular office hours. Attackers can encode their commands textually in a page on a social network and present them like legitimate messages.
  • Firewall log entries indicating outbound IRC or P2P traffic

Source IP, Destination IP, Destination Port can be correlated with other sources like DNS, Web server, Proxy, VPN like logs to obtain more context.